0 votes

I have a lambda connected to an API gateway; it's deployed using sls and works great. However, its datastore is an Aurora that is in the default VPC and is set to public. This is less than ideal, security-wise.

I have, in the past, set up Auroras in their own VPC on private subnets and had EC2s in that VPC easily access it. However, all of the material I have read about getting a lambda to use a VPC RDS states that the lambda itself should also reside in the VPC.

This concerns me because of the cold start issue. So, my questions are:

  1. Is there a way for my 'no vpc' lambda to access an Aurora RDS that lives in its own VPC without putting the lambda into the VPC itself?

  2. There has been talk for some time that AWS will be addressing the lambda VPC 'cold start' issue soon. Do we know when that is anticipated to happen? Will existing lambdas benefit from this change once it is instituted?

  3. Is there some other method of securing a public RDS to restrict access to only my lambda (besides the obvious user/pass credentials)?

Thanks in advance


1 Answer

3 votes

1. Is there a way for my 'no vpc' lambda to access an Aurora RDS that lives in its own VPC without putting the lambda into the VPC itself?

No, if your RDS instance is not publicly accessible then your Lambda must be deployed in your VPC.

2. There has been talk for some time that AWS will be addressing the lambda VPC 'cold start' issue soon. Do we know when that is anticipated to happen? Will existing lambdas benefit from this change once it is instituted?

I don't think that a specific timeline has been officially communicated for this feature. Existing Lambda functions will obviously benefit from this change (after all, Lambda functions are just code that is continuously redeployed on containers). Information about the new architecture: AWS Lambda in a VPC Will Soon be Much Faster

3. Is there some other method of securing a public RDS to restrict access to only my Lambda (besides the obvious user/pass credentials)?

You can use IAM Database Authentication with Aurora. With this method, authentication is managed externally using IAM.